Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot

Day 1 16:00 Ground en Security
Dec. 27, 2025 16:00-17:00
In August 2024, Raspberry Pi released their newest MCU: The RP2350. Alongside the chip, they also released the RP2350 Hacking Challenge: A public call to break the secure boot implementation of the RP2350. This challenge concluded in January 2025 and led to five exciting attacks discovered by different individuals. In this talk, we will provide a technical deep dive in the RP2350 security architecture and highlight the different attacks. Afterwards, we talk about two of the breaks in detail---each of them found by one of the speakers. In particular, we first discuss how fault injection can force an unverified vector boot, completely bypassing secure boot. Then, we showcase how double glitches enable direct readout of sensitive secrets stored in the one-time programmable memory of the RP2350. Last, we discuss the mitigation of the attacks implemented in the new revision of the chip and the lessons we learned while solving the RP2350 security challenge. Regardless of chip designer, manufacturer, hobbyist, tinkerer, or hacker: this talk will provide valuable insights for everyone and showcase why security through transparency is awesome.

The RP2350 is one of the first generally available microcontrollers with active security-features against fault-injection such as glitch-detectors, the redundancy co-processor, and other pieces to make FI attacks more difficult.

But security on paper often does not mean security in real-life. Luckily for us, Raspberry Pi also ran the RP2350 Hacking Challenge: A public bug bounty that has exactly these attacks in-scope. During the hacking challenge 5 different attacks were found on the secure-boot process - one of which was shown at 38C3 by Aedan Cullen.

In this talk, we talk about all successful attacks - including laser fault-injection, a reset glitch, and a double-glitch during execution of the bootrom - to show all the different ways in which a chip can be attacked.

We also talk about the awesomeness of an open security-ecosystem for chips: Raspberry Pi was very transparent on the findings, and worked with researchers to improve the new revision of the chip.

Speakers of this event

No avatar
stacksmashing

Thomas Roth, also known as stacksmashing, is a security researcher with focus on embedded systems. His published research includes research on vulnerabilities in microcontrollers, hardware wallets, industrial systems, TrustZone and mobile devices. He is also well known for publishing educational material on his YouTube channel “stacksmashing”, and released a lot of open-source hardware security tools, such as the chip.fail glitcher.t

  • Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot
No avatar
nsr
Die vortragende Person hat noch keine Beschreibung zu sich zur Verfügung gestellt.
  • Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot